Wednesday, November 30, 2011

ADFS has a neat setting in its web.config that displays exception messages on the error page, which I find a MAJOR help when I'm configuring stuff.

Uncomment this piece in the appSettings section (the angle brackets are shown here as they appear in the file; it's the add key line that needs to come out of the comment):

<!-- Display the exception message on the error page. Uncomment this, or add the key below to your
app settings if you want to see the exception message. The exception messages are localized in the
language of the server.-->
<!--<add key="displayExceptions" />-->

After uncommenting it reads:

<add key="displayExceptions" />

The web.config you need is the one in:

C:\inetpub\adfs\ls

Comment the key back out when you're done: the exception text on the error page is shown to anyone who reaches that page, not just to you.

So I changed the code in FormsSignIn to use an exception variable called exp instead of ex, resulting in the error below.

"In more complex scenarios, the same clean-up request should be sent to any other STS involved in the federated session. To that end, the STS would have to have prior knowledge of the clean-up URI for each RP and STS. To support single sign-out, your RPs should be able to process these clean-up requests. Both the FAM and the FederatedPassiveSignInStatus control support this. If you’re using the FAM, the clean-up request can be posted to any URI at the RP and the FAM will process the request and clean up any session cookies. If you’re using the FederatedPassiveSignInStatus control, the clean-up request must be posted to a page that contains the control."

The service communications certificate is essentially the SSL certificate that you have configured for the HTTPS binding of the IIS site that hosts ADFS. (Yes, folks, it is basically an IIS site; look for it under \inetpub\adfs\ls.)

When you configure the certificate for SSL, you need to give it the full name of the site, e.g. "contuso.co.uk". Don't just give it the name "contuso". If you do, ADFS setup will reject it and ask for a certificate that has "dots" in its name.

Actually, the real error is "ADFS requires full name for certificate".
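As an added check (this is example code, not from the original post or from the ADFS product), the script below walks the machine's personal certificate store and flags certificates whose subject CN and Subject Alternative Name DNS entries contain no dot, i.e. the ones ADFS setup will refuse with the error above. It assumes only the built-in Cert: provider on the ADFS/IIS host; the contuso names in the comments are placeholders.

```powershell
# Added example (not from the original post): find certificates in LocalMachine\My
# that ADFS setup would reject as the service communications certificate because
# none of their names is a dotted FQDN. Assumes only the built-in Cert: provider.
function Get-CertificateNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Subject CN, e.g. "CN=contuso.co.uk, O=Contuso" -> "contuso.co.uk"
    foreach ($part in ($Cert.Subject -split ',')) {
        $p = $part.Trim()
        if ($p -like 'CN=*') { $names += $p.Substring(3) }
    }
    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17), if any
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($entry in ($san.Format($false) -split ',')) {
            $e = $entry.Trim()
            if ($e -like 'DNS Name=*') { $names += $e.Substring(9) }
        }
    }
    return $names
}

function Test-AdfsCertificateNames {
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $names = @(Get-CertificateNames -Cert $cert)
        # ADFS wants a dotted name such as contuso.co.uk, not a bare host name like contuso
        $dotted = @($names | Where-Object { $_ -match '\.' })
        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Names         = ($names -join ';')
            HasPrivateKey = $cert.HasPrivateKey
            HasDottedName = ($dotted.Count -gt 0)
        }
    }
}

# Certificates with HasDottedName = False are the ones that trigger
# "ADFS requires full name for certificate"; an SSL cert also needs its private key.
Test-AdfsCertificateNames | Format-Table Thumbprint, Names, HasPrivateKey, HasDottedName -AutoSize
```

Run it in an elevated PowerShell on the ADFS server before starting the ADFS configuration wizard; anything listed with HasDottedName = False will not be accepted, regardless of what it is bound to in IIS.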

I have an ASP.NET application that uses FBA (forms-based authentication) and calls a web service that performs CRUD operations on a back-end system, i.e. the ASP.NET application is the client.

I want to claims-enable this application. I don't want to do anything regarding federation with the web service. It should just run in the background as it currently does.

When I run FedUtil, I get the message:

“ID1032: A wcf application federated to a security token service requires an application certificate. Please select a certificate for your application.”

It seems that FedUtil is trying to secure the web service and not the browser application. If I supply a certificate and then look at the resulting web.config, FedUtil hasn't done any of the usual passive profile stuff, e.g. commenting out the entire current authentication section:

If I comment out the system.serviceModel section, FedUtil runs as expected.

I then un-comment the section and have a federated browser application with a non-federated web service.

This seems a very round-about way to achieve the objective.

Why does FedUtil only federate the web service?

How do you tell it to federate the browser functionality only? I would have thought that this was a common implementation?

Is there a better way to achieve this?

--------------------------------------------------------

So what FedUtil seems to do is scan the web.config. If it finds a system.serviceModel section, it assumes this is a WCF service (i.e. the active profile) that you want to secure, and off it goes. But in fact it's the browser session (i.e. the passive profile) that you want to secure.
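The workaround above (hide system.serviceModel, run FedUtil, put it back) is easy to get wrong by hand, so here is an added example script that does the two config edits; it is not part of the original post and not a FedUtil feature. It assumes the application's web.config is at the path given in the usage comments (a placeholder), that FedUtil is run manually between the two calls, and that a plain System.Xml load/save of web.config is acceptable for your file.

```powershell
# Added example (not from the original post): detach <system.serviceModel> from
# web.config so FedUtil sees a browser (passive) application, then reattach it
# after FedUtil has finished, leaving the web service calls non-federated.
# Assumes the paths passed in are placeholders you replace with your own.
function Remove-ServiceModelSection {
    param(
        [Parameter(Mandatory = $true)][string]$WebConfig,
        [Parameter(Mandatory = $true)][string]$Backup
    )
    [xml]$cfg = Get-Content -Path $WebConfig
    $node = $cfg.configuration.SelectSingleNode('system.serviceModel')
    if ($null -eq $node) {
        Write-Warning "No <system.serviceModel> in $WebConfig; nothing to remove"
        return
    }
    # Keep a full copy of the original web.config too, in case FedUtil goes wrong
    Copy-Item -Path $WebConfig -Destination ($WebConfig + '.pre-fedutil') -Force
    # Save just the detached section so it can be re-imported later
    $node.OuterXml | Set-Content -Path $Backup -Encoding UTF8
    [void]$cfg.configuration.RemoveChild($node)
    $cfg.Save($WebConfig)
    Write-Output "Removed <system.serviceModel>; now run FedUtil against $WebConfig"
}

function Restore-ServiceModelSection {
    param(
        [Parameter(Mandatory = $true)][string]$WebConfig,
        [Parameter(Mandatory = $true)][string]$Backup
    )
    # web.config now carries FedUtil's microsoft.identityModel changes; add the section back
    [xml]$cfg = Get-Content -Path $WebConfig
    [xml]$saved = Get-Content -Path $Backup
    if ($null -ne $cfg.configuration.SelectSingleNode('system.serviceModel')) {
        Write-Warning "$WebConfig already has <system.serviceModel>; not adding a second one"
        return
    }
    $imported = $cfg.ImportNode($saved.DocumentElement, $true)
    [void]$cfg.configuration.AppendChild($imported)
    $cfg.Save($WebConfig)
    Write-Output "Restored <system.serviceModel> into $WebConfig"
}

# Usage (paths are placeholders):
#   Remove-ServiceModelSection  -WebConfig 'C:\inetpub\wwwroot\MyApp\web.config' -Backup 'C:\temp\serviceModel.xml'
#   ... run FedUtil on the application now; it should do the passive profile work ...
#   Restore-ServiceModelSection -WebConfig 'C:\inetpub\wwwroot\MyApp\web.config' -Backup 'C:\temp\serviceModel.xml'
```

Because the restore step appends the saved section to the FedUtil-modified file rather than overwriting it, the microsoft.identityModel configuration FedUtil wrote is kept, and the WCF client settings come back exactly as they were.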

"First you want to really make sure that there is not a web site known as W3SVC/1. Who knows, maybe someone had simply renamed your default web site or something. Open a command prompt and type this:

c:
cd\Inetpub\AdminScripts

cscript adsutil.vbs enum w3svc/1

If it comes up with "The path requested could not be found" then sure enough, you don't have a true default website anymore. If no error then check out the "ServerComment" to know which web the machine now thinks is the default."

OK, so it's really gone. You can follow the rest of the article or simply recreate another one.

I decided to re-install IIS; who knows what else was screwed up?

Control Panel / Programs / Turn Windows features on or off.

Uncheck all the IIS stuff, then click OK: it's all removed.

Then check it all back again and click OK. IIS will come back, and you may or may not have a "Default Web Site".

If you don't, just add one. There's nothing special about it; it's just another web site.

Start / Administrative Tools / IIS Manager

Right click Sites / Add Web Site

Call it "Default Web Site". Point to:

C:\inetpub\wwwroot

You should now have it back, along with anything else that was already in that directory.

Click "Default Web Site" / "Advanced Settings" and check that the ID is 1. You are good to go!
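To confirm the result without clicking through IIS Manager, here is an added example (not from the original post) that uses the IIS 7 WebAdministration module to check that a site with ID 1 exists, that it is called "Default Web Site", and whether the ADFS application is present under it. It assumes IIS 7.x with the WebAdministration module available, as on Windows Server 2008 R2.

```powershell
# Added example (not from the original post): verify that W3SVC/1 is back as
# "Default Web Site" and report whether the ADFS /adfs/ls application hangs
# off it. Assumes the IIS 7 WebAdministration module.
Import-Module WebAdministration

function Test-DefaultWebSite {
    # Site ID 1 is what the old adsutil "enum w3svc/1" check was looking for
    $site = Get-Website | Where-Object { $_.Id -eq 1 }
    if (-not $site) {
        Write-Warning 'No site with ID 1: W3SVC/1 is still missing'
        return $false
    }
    if ($site.Name -ne 'Default Web Site') {
        Write-Warning ("Site ID 1 is '{0}', not 'Default Web Site'" -f $site.Name)
    }
    Write-Output ("Site ID 1: '{0}', path {1}, state {2}" -f $site.Name, $site.PhysicalPath, $site.State)

    # ADFS is just an application under this site; report whether it survived the reinstall
    $adfs = Get-WebApplication -Site $site.Name | Where-Object { $_.Path -eq '/adfs/ls' }
    if ($adfs) {
        Write-Output ("ADFS application present: {0} -> {1}" -f $adfs.Path, $adfs.PhysicalPath)
    } else {
        Write-Warning 'No /adfs/ls application under site ID 1; ADFS will need to be reconfigured'
    }
    return $true
}

Test-DefaultWebSite
```

A False return means the ID 1 site is still absent and ADFS configuration will keep failing; a True return with the /adfs/ls warning means IIS is fine but the ADFS application itself has to be set up again.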